Use of OAuth 2.0 nonce parameter

Solved
RCocks
Here to help


Hi,

I've been implementing OAuth 2.0 flow for my demonstration QR code application.

I am confused about the optional "nonce" parameter.

I had anyway planned to add a temporary secret to the `state`, which is OAuth2 standard, and to validate against this state to prevent CSRF and prevent replay attacks.

However, I have read the documentation at https://developer.cisco.com/meraki/api-v1/oauth-overview/#oauth-20 and this mentions a parameter:

nonce (optional)

This is interesting, and I assumed it could be used for a similar purpose, but the documentation never refers to this parameter or its purpose again.

How is this `nonce` used in the flow?

It does not appear to be attached as a parameter to the callback; what purpose does it have otherwise, please?

 

1 Accepted Solution
Oren
Meraki Employee All-Star

I literally wrote the document, and I have no recollection of adding “nonce” there. It’s mandatory for OIDC, but not for the way you’d interact with OAuth.

I’ll remove it from the documentation.

 

Thanks for flagging this!

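To make the distinction in the accepted answer concrete, here is an added Python example. It is my own illustration, not Meraki's code, not the Meraki documentation's, and not the obrigg/meraki-oauth sample linked below. It implements the `state` handling the original post describes for plain OAuth 2.0 (a random per-request secret, bound to the browser session that started the flow, expiring and consumed on first use, so forged and replayed callbacks are rejected) and, going beyond the thread, shows where `nonce` actually lives in OpenID Connect: it is sent on the authorization request and comes back inside the signed ID token's claims, never as a callback parameter. The authorization endpoint, client ID, redirect URI, session IDs and callback URLs are placeholders I constructed; only the Python standard library is used.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values for illustration only: not Meraki's endpoints or a
# registered client. Substitute the values from your own OAuth registration.
AUTHORIZE_URL = "https://as.example.com/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/oauth/callback"
STATE_TTL_SECONDS = 300


class PendingAuthStore:
    """Server-side record of outstanding authorization requests, keyed by state.

    Each state is a fresh random secret bound to the browser session that started
    the flow. It expires and is consumed on first use, so a forged (CSRF) or
    replayed callback cannot pass validation.
    """

    def __init__(self):
        self._pending = {}  # state -> (session_id, expires_at, nonce_or_None)

    def issue(self, session_id, now=None, with_nonce=False):
        """Create a state (and, for an OIDC request, a nonce) for this session."""
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(32)  # 256 bits of entropy: unguessable
        nonce = secrets.token_urlsafe(32) if with_nonce else None
        self._pending[state] = (session_id, now + STATE_TTL_SECONDS, nonce)
        return state, nonce

    def consume(self, session_id, state, now=None):
        """Validate and delete a state; return its nonce (None for plain OAuth)."""
        now = time.time() if now is None else now
        entry = self._pending.pop(state, None)  # one-time use: a replay fails here
        if entry is None:
            raise ValueError("unknown or already-used state: possible CSRF or replay")
        stored_session, expires_at, nonce = entry
        if not hmac.compare_digest(stored_session, session_id):
            raise ValueError("state was issued to a different browser session")
        if now > expires_at:
            raise ValueError("state expired")
        return nonce


def build_authorization_request(state, scope, nonce=None):
    """Authorization request URL; 'nonce' is only sent for OIDC (scope 'openid')."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    if nonce is not None:
        params["nonce"] = nonce  # returned inside the ID token, not on the callback URL
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(store, session_id, callback_url, now=None):
    """Parse the redirect from the authorization server and validate 'state'.

    The server returns 'code' and the unmodified 'state'; it never returns
    'nonce' as a callback parameter. Returns (code, nonce_expected_in_id_token).
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if state is None or code is None:
        raise ValueError("callback is missing 'code' or 'state'")
    return code, store.consume(session_id, state, now)


def callback_is_rejected(store, session_id, callback_url, now=None):
    """True when handle_callback refuses the redirect (shows the failure modes)."""
    try:
        handle_callback(store, session_id, callback_url, now)
    except ValueError:
        return True
    return False


def check_id_token_nonce(id_token_claims, expected_nonce):
    """OIDC only: confirm the ID token carries the nonce we sent.

    Assumes the token's signature, issuer, audience and expiry were already
    verified; this check binds the token to our own authorization request.
    """
    actual = id_token_claims.get("nonce")
    if expected_nonce is None or not isinstance(actual, str):
        return False
    return hmac.compare_digest(actual, expected_nonce)


if __name__ == "__main__":
    store = PendingAuthStore()
    state, _ = store.issue("browser-session-1")
    print(build_authorization_request(state, "read"))
    callback = REDIRECT_URI + "?code=abc123&state=" + state  # constructed redirect
    print(handle_callback(store, "browser-session-1", callback))
    print("replay rejected:", callback_is_rejected(store, "browser-session-1", callback))
```

Run it directly to see an authorization URL, one successful callback, and the same callback rejected on replay. In a real deployment the pending-request store belongs in the session layer, and `check_id_token_nonce` must run only after the ID token's signature, issuer, audience and expiry have been verified.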

4 Replies
PhilipDAth
Kind of a big deal

I don't know the answer.

 

I have only used the OAuth interface from Python. This GitHub repository has an example.

https://github.com/obrigg/meraki-oauth

sungod
Kind of a big deal

I've not used the Meraki OAuth 2 service, but my guess is that the authorisation server simply doesn't have the feature implemented yet.

Presumably if/when it is added, the server would look for a nonce where required, and if it's not present return the nonce_required error and the nonce endpoint that the client must use to obtain one.

Maybe someone from Meraki can comment?

RaphaelL
Kind of a big deal

@Oren Sorry to tag you, but this seems like something you would be able to answer 😊
